Deck 10 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.

Page 1

Deck 10 Accounting Information Systems

Romney and Steinbart
Linda Batch
March 2012

Page 2

Learning Objectives
• IS Controls for System Reliability
• Confidentiality and Availability
– Encryption
– Process Controls – Input, Processing, Output
– Availability
• Work on Assignment 4
• Quiz (Chapter 7 and Chapter 8)

Page 3

Chapter 9 – Preserving Confidentiality

• Intellectual property is often crucial to the organization's long-run competitive advantage

• Actions must be taken to preserve confidentiality:
– Identification and classification of the information to be protected
– Encryption of sensitive information
– Controlling access to sensitive information
– Training

Page 4

Chapter 9 – Encryption

• Encryption is a preventive control that can be used to protect both confidentiality and privacy

• Encryption is the process of transforming normal content, called plaintext, into unreadable gibberish, called ciphertext

• Decryption reverses this process, but only for the holder of the correct key

Page 5

Chapter 9 – Encryption

• Three factors determine the strength of encryption:
– Key length – longer keys give a larger keyspace, so brute-force guessing of the key takes exponentially longer (each extra bit doubles the work); key length by itself does not change how much the ciphertext repeats, which depends on the block size and mode of operation
– Encryption algorithm – should be a published, well-analysed algorithm, designed so that no attack does better than brute-force guessing of the key
– Policies for managing the cryptographic keys – the most vulnerable aspect of the encryption system, hence cryptographic keys must be stored very securely

Page 6

Chapter 9 – Encryption

• Cryptographic keys must be stored securely and protected with strong access controls.

• Best practices include not storing cryptographic keys in a browser or in any other file that other users of that system can readily access, and using a strong, long passphrase to protect the keys

• Organizations must have a way to decrypt data in the event the employee who encrypted it is no longer with the organization:
– Use software with a built-in master key
– Use key escrow – make copies of all encryption keys used by employees and store these copies securely (the escrowed copies need the same protection as the originals, since whoever obtains them can decrypt everything)

Page 7

Chapter 9 – Encryption

• Types of Encryption Systems
– Symmetric encryption – the same secret key is used to encrypt and decrypt (DES, now obsolete, and AES are examples)
– Asymmetric encryption – a pair of different keys is used: a public key to encrypt and the matching private key to decrypt (RSA is an example; PGP is a program that combines both kinds, using asymmetric encryption to exchange a symmetric session key)
– Symmetric encryption is much faster, but both parties must already share the secret key, so its weak point is distributing and protecting that key rather than the encryption itself; in practice the two are combined (asymmetric to exchange a key, symmetric for the bulk data)
– Hashing
• takes plaintext of any length and transforms it into a short, fixed-length code called a hash (or digest)
• hashing is one-way: the original plaintext cannot be recreated from the hash
• good for verifying that the contents of a message have not been altered, provided the hash itself is protected (anyone who can alter the message can also recompute an unprotected hash)

Page 8

Chapter 9 – Encryption

• Types of Encryption Systems Continued
– Digital signatures
• Nonrepudiation – how to create legally binding agreements that cannot be unilaterally repudiated by either party
• Use hashing and asymmetric encryption together: hash the document, then encrypt the hash with the signer's private key; anyone holding the signer's public key can decrypt the signature and compare the result with a freshly computed hash of the document
• Proof that a document has not been altered (the hashes match) and proof of who signed the file (only the holder of the private key could have produced the signature)
– Digital Certificates
• Electronic document, signed by a certificate authority, that contains an entity's public key and certifies the identity of the owner of that particular public key
– Public Key Infrastructure
• The system for issuing pairs of public and private keys and the corresponding digital certificates
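The hashing bullet on the previous slide and the "hash, then sign" description above can be run end to end with Python's standard library. The block below is an added example, not code from the deck or from Romney and Steinbart: it uses textbook RSA built from two small, hard-coded primes (an assumption made so the numbers stay readable) and reduces the SHA-256 digest modulo n instead of padding it; a real system uses 2048-bit or larger keys, a vetted library and a padding scheme such as RSA-PSS. The invoice text and the second key pair are constructed.

```python
"""Hash-then-sign digital signature with textbook RSA.

Added example, not code from the deck or the textbook. The key pair is
built from two small, hard-coded primes (assumed here so the arithmetic is
easy to follow); real systems use 2048-bit or larger keys, a vetted
library and a padding scheme such as RSA-PSS instead of the bare
"reduce the digest modulo n" used below.
"""
import hashlib
import math

# Constructed toy primes. Far too small for real use, but prime.
P, Q = 1000003, 999983


def generate_keypair(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def digest(message: bytes) -> int:
    """SHA-256 of the message, as an integer.

    Hashing compresses a document of any length to a fixed 32-byte code and
    is one-way: nothing here can turn the digest back into the message.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Signature = digest^d mod n: only the private-key holder can compute it."""
    d, n = private_key
    # Toy step: reduce the 256-bit digest so it fits below the 40-bit n.
    # A real scheme pads the digest instead of reducing it.
    return pow(digest(message) % n, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the digest with the public key and compare with a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == digest(message) % n


def demo():
    """Signed invoice, then an altered copy and a forgery with another key."""
    pub, priv = generate_keypair()
    invoice = b"Pay $500.00 to vendor 4471"          # constructed document
    sig = sign(invoice, priv)
    # Second key pair, as if another party tried to sign in the first one's name.
    _, other_priv = generate_keypair(p=1000033, q=1000037)
    return {
        "digest_hex_len": len(hashlib.sha256(invoice).hexdigest()),
        "genuine_verifies": verify(invoice, sig, pub),
        "altered_rejected": not verify(b"Pay $5000.00 to vendor 4471", sig, pub),
        "forgery_rejected": not verify(invoice, sign(invoice, other_priv), pub),
    }


if __name__ == "__main__":
    print(demo())
```

The three outcomes in demo() are the three claims on the slide: the genuine signature verifies, changing one character of the document breaks the hash match, and a signature made with someone else's private key does not verify under the published public key.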

Page 9

Chapter 9 – Encryption

• Types of Encryption Systems Continued
– Virtual Private Networks (VPN)
• Information must be encrypted not only while it is stored within a system but also while it is transmitted over the internet
• Encrypting information as it traverses the internet creates a virtual private network (VPN)
• The VPN software that encrypts information while it is transmitted over the internet effectively creates private tunnels that only those holding the keys can read

Page 10

Chapter 10 – Processing Integrity

• Input data integrity
– Source documents should be prepared by authorized personnel
– Forms design
– Cancellation and storage of source documents
– Data entry controls
• Field check, sign check, limit check, range check, size check, completeness check, validity check, reasonableness check
– Additional batch processing and data entry controls
• Sequence check, error log, batch totals (record count, financial total, hash total)
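The checks listed above are easy to name and easy to confuse, so here they are as code over a small payroll batch. This is an added example, not code from the deck or from Romney and Steinbart; the field names, limits, department master list, sample records and the control totals "prepared by the user department" are all constructed, with errors planted so that each check catches something.

```python
"""Data entry and batch controls over a constructed payroll batch.

Added example, not code from the deck or the textbook. The field names,
limits, department master list, sample records and control totals are all
invented to show what each check on the slide catches; the names of the
checks are the ones the slide lists.
"""
from __future__ import annotations

VALID_DEPARTMENTS = {"ACCT", "SALES", "PROD"}            # validity check: master list
REQUIRED = ("seq", "emp_no", "dept", "hours", "rate")    # completeness check
MAX_HOURS = 60            # limit check: upper bound on weekly hours
RATE_RANGE = (12.0, 95.0) # range check: lowest and highest hourly rate
MEMO_MAX_LEN = 30         # size check
MAX_GROSS = 4000.0        # reasonableness check: hours * rate per week

# Constructed batch of five time records. Errors planted on purpose:
# seq 2 has a letter O in emp_no, seq 3 negative hours, seq 5 is out of
# sequence and wrong in several fields, seq 4 lacks the hours field.
BATCH = [
    {"seq": 1, "emp_no": "10231", "dept": "ACCT", "hours": 38, "rate": 31.5, "memo": "regular"},
    {"seq": 2, "emp_no": "1O233", "dept": "SALES", "hours": 40, "rate": 28.0, "memo": "regular"},
    {"seq": 3, "emp_no": "10240", "dept": "PROD", "hours": -5, "rate": 22.0, "memo": "adjustment"},
    {"seq": 5, "emp_no": "10244", "dept": "MKTG", "hours": 75, "rate": 200.0, "memo": "x" * 40},
    {"seq": 4, "emp_no": "10251", "dept": "PROD", "rate": 24.0, "memo": "hours not keyed"},
]
# Control totals the user department computed from the source documents.
EXPECTED_TOTALS = {"record_count": 5, "hash_total": 51199, "financial_total": 4087.0}


def check_record(rec: dict) -> list[tuple]:
    """Run the per-field checks; each finding is (seq, check name, detail)."""
    seq, errs = rec.get("seq"), []
    missing = [f for f in REQUIRED if f not in rec]
    if missing:                                             # completeness check
        errs.append((seq, "completeness", f"missing {missing}"))
    emp = rec.get("emp_no", "")
    if not emp.isdigit():                                   # field check
        errs.append((seq, "field", f"emp_no {emp!r} is not numeric"))
    hours, rate = rec.get("hours"), rec.get("rate")
    if hours is not None and hours < 0:                     # sign check
        errs.append((seq, "sign", f"hours {hours} is negative"))
    if hours is not None and hours > MAX_HOURS:             # limit check
        errs.append((seq, "limit", f"hours {hours} exceeds {MAX_HOURS}"))
    if rate is not None and not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:   # range check
        errs.append((seq, "range", f"rate {rate} outside {RATE_RANGE}"))
    if len(rec.get("memo", "")) > MEMO_MAX_LEN:             # size check
        errs.append((seq, "size", f"memo longer than {MEMO_MAX_LEN} chars"))
    if rec.get("dept") not in VALID_DEPARTMENTS:            # validity check
        errs.append((seq, "validity", f"dept {rec.get('dept')!r} not in master list"))
    if hours is not None and rate is not None and hours * rate > MAX_GROSS:   # reasonableness
        errs.append((seq, "reasonableness", f"gross {hours * rate} exceeds {MAX_GROSS}"))
    return errs


def compute_totals(batch: list[dict]) -> dict:
    """Record count, hash total of emp_no, financial total of gross pay."""
    return {
        "record_count": len(batch),
        "hash_total": sum(int(r["emp_no"]) for r in batch if r.get("emp_no", "").isdigit()),
        "financial_total": round(sum(r.get("hours", 0) * r.get("rate", 0) for r in batch), 2),
    }


def check_batch(batch: list[dict], expected: dict) -> list[tuple]:
    """Per-record checks, sequence check, then batch totals; returns the error log."""
    log, last_seq = [], 0
    for rec in batch:
        log.extend(check_record(rec))
        if rec["seq"] != last_seq + 1:                      # sequence check
            log.append((rec["seq"], "sequence", f"expected seq {last_seq + 1}"))
        last_seq = rec["seq"]
    for name, computed in compute_totals(batch).items():    # batch totals
        if computed != expected[name]:
            log.append((None, "batch_total", f"{name}: computed {computed}, expected {expected[name]}"))
    return log


if __name__ == "__main__":
    for entry in check_batch(BATCH, EXPECTED_TOTALS):
        print(entry)
```

Note what the batch totals add: the record count agrees, but the hash total of employee numbers and the financial total do not, because the mis-keyed employee number drops out of the hash total and the planted errors distort gross pay. Batch totals are the only control in the list that sees the batch as a whole rather than one field at a time.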

Page 11

Chapter 10 – Processing Integrity

• Processing controls
– Data matching – two or more items of data must be matched prior to processing
– File labels – ensure the correct and most current files are being updated
– Recalculation of batch totals
– Cross-footing and zero-balance tests
– Write-protection mechanisms that stop overwriting of data
– Concurrent update controls – only one user can update a given record at a time
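Three of the processing controls above (cross-footing, the zero-balance test and concurrent update control) are shown in code below. This is an added example, not code from the deck or from Romney and Steinbart; the expense distribution table, the keyed totals, the clearing-account entries and the version-stamped record store are constructed for illustration, with one row total deliberately transposed so the cross-foot fails.

```python
"""Processing controls over constructed ledger data.

Added example, not code from the deck or the textbook. The expense
distribution table, the clearing-account entries and the record store are
invented to illustrate three controls from the slide: cross-footing, the
zero-balance test, and a concurrent update control that rejects a stale
write.
"""
from decimal import Decimal

CATEGORIES = ("wages", "benefits")

# Constructed distribution of payroll cost: rows are departments; the
# "row_total" value is what the clerk keyed, not a recomputed figure.
# PROD's row total was keyed as 1248.00 instead of 1284.00 (transposition).
DISTRIBUTION = {
    "ACCT":  {"wages": Decimal("1197.00"), "benefits": Decimal("239.40"), "row_total": Decimal("1436.40")},
    "SALES": {"wages": Decimal("1120.00"), "benefits": Decimal("224.00"), "row_total": Decimal("1344.00")},
    "PROD":  {"wages": Decimal("1070.00"), "benefits": Decimal("214.00"), "row_total": Decimal("1248.00")},
}
# Column totals as keyed on the same sheet.
KEYED_COLUMN_TOTALS = {"wages": Decimal("3387.00"), "benefits": Decimal("677.40")}


def cross_foot(dist: dict, keyed_cols: dict) -> list[str]:
    """Recompute every row and column total and foot the grand total both ways.

    Returns the list of discrepancies; an empty list means the sheet foots.
    """
    findings = []
    cols = {c: sum(row[c] for row in dist.values()) for c in CATEGORIES}
    for c in CATEGORIES:
        if cols[c] != keyed_cols[c]:
            findings.append(f"column {c}: computed {cols[c]}, keyed {keyed_cols[c]}")
    for dept, row in dist.items():
        computed = sum(row[c] for c in CATEGORIES)
        if computed != row["row_total"]:
            findings.append(f"row {dept}: computed {computed}, keyed {row['row_total']}")
    by_rows = sum(row["row_total"] for row in dist.values())
    by_cols = sum(cols.values())
    if by_rows != by_cols:
        diff = abs(by_rows - by_cols)
        # Classic bookkeeping tell: a difference divisible by 9 points to transposed digits.
        hint = " (difference divisible by 9: look for transposed digits)" if diff % 9 == 0 else ""
        findings.append(f"grand total by rows {by_rows} != by columns {by_cols}{hint}")
    return findings


def zero_balance(entries: list) -> Decimal:
    """Net balance of a clearing account; must be zero after processing."""
    return sum((amt if side == "D" else -amt for side, amt in entries), Decimal("0"))


# Constructed payroll clearing account: debited with the (wrong) rows-based
# grand total when cost was distributed, credited with the correct amount
# when payroll was paid. The zero-balance test exposes the difference.
CLEARING_ENTRIES = [("D", Decimal("4028.40")), ("C", Decimal("4064.40"))]


class RecordStore:
    """Concurrent update control via version stamps (optimistic locking).

    Every record carries a version; an update must quote the version the
    user read. If another user updated in between, the write is refused and
    the caller must re-read, so two users cannot silently overwrite each
    other's changes.
    """

    def __init__(self):
        self._rows = {}

    def put(self, key, value):
        self._rows[key] = (value, 1)

    def read(self, key):
        return self._rows[key]          # (value, version)

    def update(self, key, new_value, expected_version) -> bool:
        value, version = self._rows[key]
        if version != expected_version:
            return False                # stale read: someone else updated first
        self._rows[key] = (new_value, version + 1)
        return True


def lost_update_demo():
    """Two users read the same inventory record, then both try to update it."""
    store = RecordStore()
    store.put("item-1001", Decimal("100"))
    qty_a, ver_a = store.read("item-1001")     # user A reads version 1
    qty_b, ver_b = store.read("item-1001")     # user B reads version 1
    ok_a = store.update("item-1001", qty_a - 10, ver_a)   # A issues 10: accepted
    ok_b = store.update("item-1001", qty_b - 25, ver_b)   # B issues 25 from a stale read: refused
    return ok_a, ok_b, store.read("item-1001")


if __name__ == "__main__":
    for finding in cross_foot(DISTRIBUTION, KEYED_COLUMN_TOTALS):
        print(finding)
    print("clearing balance:", zero_balance(CLEARING_ENTRIES))
    print(lost_update_demo())
```

Without the version check, user B's write would land on top of A's and the record would show 75 units when 65 are left: the "lost update" that the concurrent update control exists to prevent. Pessimistic locking (holding a lock on the record for the whole edit) is the other common way to get the same guarantee.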

Page 12

Chapter 10 – Processing Integrity

• Output controls
– User review of output
– Reconciliation procedures
– External data reconciliation
– Data transmission controls (checksums and parity bits)
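The parity bits and checksums named in the last bullet are worth seeing side by side, because each misses something the other catches. The block below is an added example, not code from the deck or from Romney and Steinbart; the payment record and the three corruption cases (a single flipped bit, two flipped bits in one byte, two transposed 16-bit words) are constructed. It also computes SHA-256 over the same cases, tying back to the hashing slide: the checksum is blind to reordered words, and only the cryptographic hash changes for every alteration.

```python
"""Data transmission controls: parity bits and a checksum on a constructed message.

Added example, not code from the deck or the textbook. The message and the
corruption cases are made up. Even parity finds any single flipped bit in a
byte but not two flips in the same byte; the checksum finds the double flip
but not two transposed words (the positional parity bits do see that one);
SHA-256 changes for every alteration, though it only protects against
accidents unless the digest is signed or sent over a separate channel.
"""
import hashlib

MESSAGE = b"AMT=1250.00;ACCT=4471"     # constructed payment record


def parity_bit(byte: int) -> int:
    """Even parity: the bit that makes the total number of 1s even."""
    return bin(byte).count("1") % 2


def frame(data: bytes) -> list:
    """Attach a parity bit to every byte, as the sender would."""
    return [(b, parity_bit(b)) for b in data]


def parity_errors(received: list) -> list:
    """Positions whose byte no longer matches its parity bit."""
    return [i for i, (b, p) in enumerate(received) if parity_bit(b) != p]


def checksum16(data: bytes) -> int:
    """One's-complement sum of 16-bit words with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data = data + b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate line noise: flip bit `bit` of byte `index` for each (index, bit)."""
    out = bytearray(data)
    for index, bit in positions:
        out[index] ^= 1 << bit
    return bytes(out)


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange 16-bit words i and j (a reordering the checksum cannot see)."""
    out = bytearray(data)
    out[2 * i:2 * i + 2], out[2 * j:2 * j + 2] = data[2 * j:2 * j + 2], data[2 * i:2 * i + 2]
    return bytes(out)


def check_received(data: bytes, sent_frame: list, sent_checksum: int, sent_digest: bytes) -> dict:
    """Re-run the controls on what arrived, using the parity bits sent with it."""
    received = [(b, p) for b, (_, p) in zip(data, sent_frame)]
    return {
        "text": data.decode(),
        "parity_errors": parity_errors(received),
        "checksum_ok": checksum16(data) == sent_checksum,
        "sha256_ok": hashlib.sha256(data).digest() == sent_digest,
    }


def demo() -> dict:
    """Send MESSAGE with its controls, then check three corrupted arrivals."""
    sent_frame = frame(MESSAGE)
    sent_sum = checksum16(MESSAGE)
    sent_digest = hashlib.sha256(MESSAGE).digest()
    cases = {
        "single_flip": flip_bits(MESSAGE, [(4, 0)]),                    # '1' -> '0'
        "double_flip_same_byte": flip_bits(MESSAGE, [(4, 0), (4, 1)]),  # '1' -> '2'
        "swapped_words": swap_words(MESSAGE, 2, 3),                      # "1250" -> "5012"
    }
    return {name: check_received(d, sent_frame, sent_sum, sent_digest) for name, d in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

All three corrupted messages are still valid text that a downstream system would happily process, which is why the transmission control has to be checked on the receiving side before the output is used.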

Page 13

Chapter 10 – System Availability

• Minimize downtime and ensure efficient return to normal operations

• Ensure there is a contingency plan to get the system running

Page 14

Chapter 10 – System Availability

• Lost data needs to be considered, plus the data that is not being collected while the system is down

• Recovery point objective (RPO) – the maximum amount of data the organization is willing to lose, which sets how often backups must be taken

• Recovery time objective (RTO) – the maximum length of time the organization is willing to operate without the AIS

• These feed into the disaster recovery plan and the business continuity plan

Page 15

Week 9 – Summary

• We are still talking about controls for system reliability
• This week's specific topics are confidentiality and availability
– Encryption – what is it
– What makes encryption strong
– Various types of encryption systems
• Data input integrity
• Data processing integrity
• Information output integrity
• System uptime (downtime)
– Recovery point objective, recovery time objective
• Quiz next week on Chapter 9 and 10